IIIF Auth v2 handles IIIF Authorization Flow API 2.0 requests and is an implmementation of DLCS RFC 012
There is a Dockerfile and docker-compose file for running app:
# build docker image
docker build -t iiif-auth-2:local .
# run image
docker run -it --rm \
--name iiif-auth-2 \
-p "8014:80" \
iiif-auth-2:local
# run via docker-compose
docker compose upFor local debugging the docker-compose.local.yml file can be used, this will start an empty Postgres instance.
docker compose -f docker-compose.local.yml upThe following appSetting configuration values are supported:
| Name | Description | Default |
|---|---|---|
| OrchestratorRoot | Base URI for Orchestrator, used to generate links | |
| DefaultSignificantGestureTitle | Fallback title to use on SignificantGesture.cshtml | "Click to continue" |
| DefaultSignificantGestureMessage | Fallback message to use on SignificantGesture.cshtml | "You will now be redirected to DLCS to login" |
| Auth__CookieNameFormat | Name of issued cookie, {0} value replaced with customer Id |
"dlcs-auth2-{0} |
| Auth__SessionTtl | Default TTL for sessions + cookies (in seconds) | 600 |
| Auth__RefreshThreshold | UserSession expiry not refreshed if LastChecked within this number of secs | 120 |
| Auth__JwksTtl | How long to cache results of JWKS calls for, in secs | 600 |
| GesturePathTemplateForDomain | Dictionary that allows control of domain-specific significant gesture paths. {customerId} replaced. |
|
| OAuthCallbackPathTemplateForDomain | Dictionary that allows control of domain-specific oauth2 callback paths. {customerId} + {accessService} replaced. |
A note on Dictionarys for domain-specific paths. A key of
"Default"serves as fallback but isn't necessary if the default value matches the canonical DLCS path.
Migrations can be added by running the following:
cd src/IIIFAuth2
dotnet ef migrations add "{migration-name}" -p IIIFAuth2.API -o Data/MigrationsMigrations are applied on startup, regardless of environment, if "RunMigrations" = "true".
This service is an extension of DLCS Protagonist and once deployed will run under the same host as the main DLCS.
Below are steps for running iiif-auth-v2 and Orchestrator locally:
- Create a
customer_cookie_domainfor required customer (e.g. 99). As orchestrator and iiif-auth-v2 will be running on different ports this is necessary as otherwise orchestrator won't see required cookies.INSERT INTO customer_cookie_domains (customer, domains) values (99, 'localhost');
- In iiif-auth-v2 set
"OrchestratorRoot": "https://localhost:5003"appSetting (default from orchestrator launchSettings) - In orchestrator set
"Auth__Auth2ServiceRoot": "https://localhost:7049/auth/v2/"appSetting (default from orchestrator launchSettings) - In orchestrator change the last line of
ConfigDrivenAuthPathGenerator.GetAuth2PathForRequestto:
var auth2PathForRequest = request.GetDisplayUrl(path, includeQueryParams: false);
return auth2PathForRequest.Contains("probe") ? auth2PathForRequest : auth2PathForRequest.Replace(host, "localhost:7049");Point 4 is a hack and should be addressed in a better manner. It is required as the default path rewrite rules won't work as all auth paths aren't on the root domain